The Right to Erasure
One of the fundamental differences between Australian regulation and the GDPR is the right to erasure. Under the GDPR, a person can request to have their data erased. However, the right is not absolute and exceptions apply. If it is no longer necessary to collect an individual’s data, that person can request to have their data deleted. The controller must also take reasonable steps to inform other controllers that the data is no longer being processed and to remove any copies associated with it. Ensure your company has new procedures in place to delete customer data so that it can demonstrate compliance with the GDPR.
The Right to Data Portability Under the GDPR
Another critical difference between Australian privacy laws and the GDPR is the right to data portability. Under the GDPR, a person has the right to obtain and reuse their data for their own purposes. Companies need to be able to provide the data in a ‘structured, commonly used and machine-readable format.’ It is important to note that there are some exceptions to this rule. This rule creates transparency because customers can ask for their data at will. Therefore, Australian companies need to have the capacity to provide the data when requested.
The Right to Objection
A company could be breaching the GDPR by not providing a right to object. A person can object to the processing of their data at any time. This includes direct marketing and processing based on legitimate interests. While this protection already exists in Australia for direct marketing, under the GDPR it can apply to all situations where personal data is involved. To ensure that your company does not breach the regulation, consider providing a channel through which customers can make this request.
The Right to Restriction of Processing
Similar to the right to object, companies that do not provide a way to restrict the processing of personal data may find themselves in breach. In certain circumstances, an individual has the right to obtain from the controller a restriction on the processing of their personal data. One of these circumstances is where the data has been unlawfully processed. In a direct marketing scenario, a person who asks for their data to be restricted prevents the controller from using that data. Therefore, consider how your company handles data that is subject to an objection or restriction, so as to avoid breaching the GDPR.
New Direct Obligations on Data Processors
There are new direct obligations on companies that process data in or outside the EU. A critical term for understanding these obligations is ‘processor’. A processor determines the purposes and the means of processing personal data, e.g. a third party like Mailchimp. Some of the new requirements of the GDPR could potentially lead to a breach. Processors must ensure that they only process data in accordance with documented instructions from the controller. They must also have procedures in place to ensure confidentiality. A processor should consider examining all of the new rules that apply to it.